The attack is simple and is detailed in the Softpedia article. npm leaves authors logged in by default: the publish credential stays on disk until you explicitly log out. If someone writes a malicious module and uploads it to npm, and another user who is also a package author installs it, the malicious package can use that stored credential to publish itself into every module that author owns, so it keeps spreading from author to author.

Hopefully the team over at Node.js / npm is working on a fix. The easiest solution would be to remove the always-logged-in behaviour and require authentication again whenever a module is published to the npm registry.

Accepting Users and Comments

Written by
schobes
on
2015-07-27 00:30:34

I am pleased to announce that we are now accepting new users to CodeRiot! As a user, you can create your own blog or comment on other users' blog posts.

We currently support simple Markdown for blog posts and comments. You can link to any site or image on the web, or include YouTube videos. If you have any problems, please send an email to webmaster@coderiot.com and I would be glad to assist you.

Welcome to CodeRiot!

Welcome to CodeRiot!

Written by
schobes
on
2015-01-03 00:36:54

Welcome to the very first article on CodeRiot! Over the coming weeks and months, this website will start hosting well-moderated and interesting programming conversations. I look forward to finding and sharing current programming wisdom. Additionally, here at CodeRiot! we will create the best code and project management software available.

We are proud believers in Open Source software and are always looking to give back to the Open Source community. To show our dedication to this wonderful community, all products and tools will be available free of charge to anyone developing Open Source software.